Ansible Vault Tutorial for beginners
If you have been using Ansible for a while, you will have wondered whether there is a way to encrypt your sensitive data or password information.
There is: it’s called Ansible Vault.
In this Ansible Vault tutorial blog post I will show you how to keep all your password and sensitive data in encrypted files within Ansible.
For reference, this tutorial is performed on Ubuntu 18.04 Desktop.
What is Ansible Vault?
Ansible Vault is a brilliant feature within Ansible that enables you to keep all your passwords and sensitive data in encrypted files, as opposed to having them in plain text within playbooks or in vars files. You either point Ansible Vault to the location of a password file or you can get Ansible to prompt for the password each time you run a playbook.
If you are looking for more information on Ansible Network Automation I have a course which will take you from zero to hero with Ansible.
Ansible Vault Best Practices
There are a few steps to setting up an Ansible vault.
- Create vault file using ansible-vault encrypt
- Specify vault password
- View encrypted file using ansible-vault view
Let’s step through these steps in more detail.
Note: you do not need to install ansible-vault – it is part of the core code within Ansible.
ansible-vault create
First we are going to need a file that we are going to encrypt. This can either be a new file created in the vault process or we can encrypt a file that already exists. Let’s look at a new file first.
Enter the command ansible-vault create <filename>.yml
In this example I created a file called test-vault.yml.
I entered some data in the file and saved it.
Now if we look at the file:
cat test-vault.yml
You can see that the contents are encrypted.
If we want to view that file we just enter the command:
ansible-vault view test-vault.yml
You will be prompted for a password and then you can see the contents of the file.
What if you wanted to encrypt a file that already exists? Simple.
ansible-vault encrypt
So you already have all your passwords and sensitive information in a file – in my case it is in ./group_vars/all.yml
This is the file
ansible_user: "roger"
ansible_ssh_pass: "cisco"
ansible_network_os: "ios"
I am going to encrypt it and then run a playbook that needs that password information and see what happens.
First we will encrypt the file with the ansible-vault encrypt ./group_vars/all.yml command
ansible-vault encrypt ./group_vars/all.yml
You are prompted for a password and the file is encrypted.
To verify, if we view the file we just see the encrypted data.
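As an added example (not part of the original post), here is a small shell script that performs the encrypt step without the interactive prompt, using a password file, and first checks which vars files under group_vars and host_vars are still plain text so that a file is never passed to ansible-vault encrypt twice (ansible-vault refuses input that is already encrypted). The repo layout, the vault-pass.txt name and the sample variable values are constructed for the demo; ansible-vault itself is only invoked if it is installed.

```shell
#!/bin/sh
# Added example: find plain-text vars files and encrypt them non-interactively.
# Assumes a password file readable only by its owner (vault-pass.txt is an assumed name).

# Return 0 if the file carries the Ansible Vault header, 1 otherwise.
# Every file written by ansible-vault starts with "$ANSIBLE_VAULT;<version>;AES256".
vault_is_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Print the vars files (group_vars/, host_vars/) under repo $1 that are still plain text.
find_plaintext_vars() {
    find "$1/group_vars" "$1/host_vars" -type f \( -name '*.yml' -o -name '*.yaml' \) 2>/dev/null |
    while IFS= read -r f; do
        vault_is_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Encrypt every plain-text vars file under repo $1 with the password stored in file $2.
# Already-encrypted files are skipped, so the function is safe to run repeatedly.
encrypt_plaintext_vars() {
    repo=$1; passfile=$2
    find_plaintext_vars "$repo" | while IFS= read -r f; do
        ansible-vault encrypt --vault-password-file "$passfile" "$f"
    done
}

# Walkthrough on a constructed repo layout (values are sample data, not real credentials).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/group_vars"
    printf 'ansible_user: "roger"\nansible_ssh_pass: "cisco"\nansible_network_os: "ios"\n' \
        > "$tmp/group_vars/all.yml"
    (umask 077; printf 'example-vault-password\n' > "$tmp/vault-pass.txt")
    echo "Plain-text vars files before:"; find_plaintext_vars "$tmp"
    if command -v ansible-vault >/dev/null 2>&1; then
        encrypt_plaintext_vars "$tmp" "$tmp/vault-pass.txt"
        echo "Plain-text vars files after (should be none):"; find_plaintext_vars "$tmp"
        ansible-vault view --vault-password-file "$tmp/vault-pass.txt" "$tmp/group_vars/all.yml"
    else
        echo "ansible-vault not installed; skipping the encryption step"
    fi
    rm -rf "$tmp"
}

demo
```

vault_is_encrypted only looks at the first line, which is all Ansible itself needs to recognise a vault file, so the same check is cheap enough to run over group_vars and host_vars as a pre-commit hook to catch a plain-text credentials file before it reaches Git.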
Ansible Vault Playbook Example
Now I have a playbook called backup.yml which will need to access the data in ./group_vars/all.yml.
So let’s see what happens when we run the playbook.
We get an error: Attempting to decrypt but no vault secrets found
The reason for this is the all.yml file has been encrypted with Ansible vault and you need a password to access the data, however we did not tell Ansible how to get the password.
You can do this in a few ways
- Prompt for the password during the playbook run
- Specify the location to a password file during the playbook run
- Specify the location to the password in ansible.cfg
Let’s look at all 3 options.
Prompt for the password during the playbook run
Just add --ask-vault-pass to the end of your playbook run command, e.g.
ansible-playbook backup.yml --ask-vault-pass
You will then be prompted to enter the vault password when the playbook runs.
Ansible Vault Password file example
You can also have another file which contains your Ansible Vault password. This file needs to be secured with file permissions on the machine and kept out of your Git repository.
Check out my other Git Tutorials
You then specify where this file is with this command:
ansible-playbook backup.yml --vault-password-file vault-pass.txt
vault-pass.txt just needs to contain your password.
Specify the location of a password file in ansible.cfg
You can also specify the location of this file in the ansible.cfg file, under the [defaults] section:
[defaults]
vault_password_file = vault-pass.txt
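Since the password file is the one secret in this setup that is not itself encrypted, it deserves a check of its own. The script below is an added example, not from the original post: it verifies that the file is present, non-empty and readable by its owner only, confirms it is listed in .gitignore, and writes the ansible.cfg entry. The file name vault-pass.txt and the repo paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check a vault password file before pointing ansible.cfg at it.

# Print the octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if $1 is usable as a vault password file; otherwise print why and return 1.
# Owner-only modes (600 or 400) are accepted; anything readable by group or others is rejected.
check_vault_pass_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -s "$f" ] || { echo "empty: $f"; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode on $f: must be 600 or 400 (owner only)"; return 1 ;;
    esac
    return 0
}

# Return 0 if $2 (a path relative to repo root $1) appears as a line in $1/.gitignore,
# with or without a leading slash.
gitignored() {
    grep -qxF -e "$2" -e "/$2" "$1/.gitignore" 2>/dev/null
}

# Write an ansible.cfg in repo $1 that points Ansible at the password file.
write_ansible_cfg() {
    cat > "$1/ansible.cfg" <<'EOF'
[defaults]
vault_password_file = vault-pass.txt
EOF
}

# Walkthrough on a constructed repo (the password value is sample data).
demo() {
    repo=$(mktemp -d)
    (umask 077; printf 'example-vault-password\n' > "$repo/vault-pass.txt")
    printf 'vault-pass.txt\n' > "$repo/.gitignore"
    write_ansible_cfg "$repo"
    if check_vault_pass_file "$repo/vault-pass.txt" && gitignored "$repo" vault-pass.txt; then
        echo "ok: ansible-playbook backup.yml will find the vault password via ansible.cfg"
    else
        echo "fix the password file before running the playbook"
    fi
    rm -rf "$repo"
}

demo
```

One caveat worth knowing: Ansible ignores an ansible.cfg that sits in a world-writable current directory, so if the vault_password_file setting appears to be ignored, check the directory permissions as well as the file’s.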
Decrypting Encrypted Files
If you no longer want your file to be encrypted you can easily decrypt it using the following command:
ansible-vault decrypt <filename>
You will be prompted for the password you originally used to encrypt the file and it will then be decrypted.
Changing the Password of Encrypted Files
If you want to change the password of your encrypted file you can use the command
ansible-vault rekey <filename>
You will be prompted for your original password and then your new password.
Note: you can also perform the encrypt, decrypt or rekey operation on multiple files at the same time.
Ansible is just one tool in the world of Network Automation, so I hope this tutorial has been helpful and please check out some other relevant posts below.
Other Ansible related posts:
- What is Ansible and how it works?
- Ansible Hosts File
- Ansible Network Automation Course
- Ansible for Network Engineers
- Ansible Training for Beginners
Ansible Documentation – https://docs.ansible.com/ansible/latest/user_guide/vault.html
Encrypt Sensitive Data with Ansible Vault FAQ
Ansible Vault Frequently Asked Questions
How do you secure secrets in Ansible?
Ansible Vault allows you to secure your secrets, i.e. passwords, API keys and sensitive information, by encrypting them. Then to access the secrets you either have to provide the encryption password when running the playbook or store it in a secure place that the playbook can reference.
What is Ansible Vault?
Ansible Vault is a feature within Ansible that allows you to encrypt passwords and sensitive data rather than storing it all in plain text within a playbook or vars files. The encrypted data can be retrieved by supplying the password during a playbook run.
Where is the Ansible Vault file?
Your vault file can be anywhere you want it to be; you simply encrypt the file you want to secure using the command ansible-vault encrypt and then supply a password.
How do I decrypt Ansible Vault files?
If you want to decrypt an Ansible Vault file, enter the command ansible-vault decrypt <filename>.
How do I avoid typing the Ansible Vault password each time?
If you want to not have to enter the Ansible vault password each time you run a playbook you can create a password file in a secure location and then specify the location of that file either in your playbook run command or in your ansible.cfg file.
More Info
Ansible Vault Guide
Introduction to Ansible and Ansible Vault
Ansible is an open-source automation tool, or platform, used for IT tasks such as configuration management, application deployment, intraservice orchestration, and provisioning. It’s known for its simplicity and ease of use. In the realm of configuration management, one critical aspect is managing sensitive data, which is where Ansible Vault comes into play.
Ansible Vault is a feature of Ansible that allows users to keep sensitive data such as passwords or keys in encrypted files, rather than as plaintext in playbooks or roles. This feature enhances the security of Ansible deployments, ensuring that sensitive information is not exposed or compromised.
What is Ansible Vault?
Ansible Vault is a tool integrated within Ansible for securing sensitive data. It encrypts data with the AES-256 algorithm, providing a strong level of security, although in practice the protection is only as strong as the vault password the key is derived from. This is crucial when managing configurations that include sensitive elements like passwords, private keys, or other secrets.
Setting up Ansible Vault
To use Ansible Vault, you first need to have Ansible installed. The installation process varies depending on the operating system. Once Ansible is installed, Ansible Vault is available out of the box; there’s no separate installation needed.
Using Ansible Vault
- Creating Encrypted Files: Use ansible-vault create <file_name> to create a new encrypted file. You’ll be prompted to enter a password, which will be required to edit or view the file’s contents.
- Editing Encrypted Files: To edit an encrypted file, use ansible-vault edit <file_name>. Again, you’ll need the password.
- File Encryption and Decryption: You can also encrypt an existing file using ansible-vault encrypt <file_name> or decrypt it with ansible-vault decrypt <file_name>.
Best Practices for Using Ansible Vault
- Managing Vault Passwords: It’s crucial to securely manage the passwords for your vault files. Storing them in a password manager or using a password management system is recommended.
- Structuring Encrypted Data: Keep your encrypted data structured and organized. Consider encrypting only the sensitive parts of files instead of whole files when possible.
- Version Control Considerations: While it’s safe to store encrypted files in version control systems, avoid pushing unencrypted sensitive data.
Advanced Features of Ansible Vault
- Encrypting Individual Variables: Instead of encrypting whole files, you can encrypt individual variables within a playbook or a role.
- Multiple Vault Passwords: Ansible Vault supports the use of multiple vault passwords for different files, providing flexibility and enhanced security for complex environments.
- Integration with Automated Deployment Pipelines: Ansible Vault can be integrated into CI/CD pipelines for automated deployment, ensuring that sensitive data remains secure even in automated processes.
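To make the first two points concrete, here is an added example (not from the original post or the Ansible project) showing per-environment vault ids. Files encrypted with --vault-id <label>@<source> carry a version 1.2 header that records the label, while files encrypted with a bare password carry a 1.1 header; vault_label reads that header and reports which vault id a file needs, which is handy when a playbook fails with “no vault secrets found” and you need to know which password to supply. The dev/prod labels, password files and sample values are constructed for the demo; ansible-vault is only invoked if it is installed.

```shell
#!/bin/sh
# Added example: multiple vault ids, encrypting a single variable, and reading the
# vault-id label back out of an encrypted file's header.

# Print the vault-id label recorded in $1's header, or "default" for a 1.1 header.
# Returns 1 if the file is not a vault-encrypted file at all.
vault_label() {
    hdr=$(head -n 1 "$1" 2>/dev/null)
    prefix='$ANSIBLE_VAULT;1.2;AES256;'
    case "$hdr" in
        '$ANSIBLE_VAULT;1.2;AES256;'*) label=${hdr#"$prefix"}; printf '%s\n' "$label" ;;
        '$ANSIBLE_VAULT;1.1;AES256')   echo default ;;
        *) echo "not a vault file: $1" >&2; return 1 ;;
    esac
}

# Walkthrough: one file per environment, each encrypted with its own vault id.
# Password values and secrets below are sample data, not real credentials.
demo() {
    tmp=$(mktemp -d)
    (umask 077
     printf 'dev-password-example\n'  > "$tmp/dev-pass.txt"
     printf 'prod-password-example\n' > "$tmp/prod-pass.txt")
    printf 'db_password: "dev-only-secret"\n'  > "$tmp/dev.yml"
    printf 'db_password: "prod-only-secret"\n' > "$tmp/prod.yml"
    if command -v ansible-vault >/dev/null 2>&1; then
        ansible-vault encrypt --vault-id "dev@$tmp/dev-pass.txt"   "$tmp/dev.yml"
        ansible-vault encrypt --vault-id "prod@$tmp/prod-pass.txt" "$tmp/prod.yml"
        for f in "$tmp/dev.yml" "$tmp/prod.yml"; do
            printf '%s needs vault id: %s\n' "$f" "$(vault_label "$f")"
        done
        # A playbook that touches both files is run with both ids; Ansible matches
        # each file to the password whose label is in its header.
        echo "ansible-playbook site.yml --vault-id dev@$tmp/dev-pass.txt --vault-id prod@$tmp/prod-pass.txt"
        # Encrypt one value rather than a whole file; paste the output into a vars file.
        ansible-vault encrypt_string --vault-id "prod@$tmp/prod-pass.txt" 'prod-only-secret' --name db_password
    else
        echo "ansible-vault not installed; skipping the encryption steps"
    fi
    rm -rf "$tmp"
}

demo
```

vault_label works on whole encrypted files; a value produced by encrypt_string is indented under its YAML key, so for those the header has to be read from the second line of the variable instead.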
Troubleshooting Common Ansible Vault Issues
Addressing common errors like password mismatches or corrupted files is crucial. Ansible documentation provides a wealth of information for troubleshooting these issues.
Real-World Use Cases of Ansible Vault
Ansible Vault is used in a variety of IT environments – from small startups to large enterprises. It’s particularly useful in scenarios where IT infrastructure is managed as code, and sensitive data needs to be protected.
Understanding the practical applications of Ansible Vault can provide insight into how it fits into various IT environments. Here are some real-world scenarios where Ansible Vault proves to be an essential tool:
- Securing Credentials in Software Deployment: In a typical software deployment scenario, various credentials like API keys, database passwords, or SSH keys are necessary. Ansible Vault allows these credentials to be encrypted within the deployment scripts, ensuring that they are not exposed in plaintext in version control systems or to unauthorized personnel.
- Managing Environment Variables in DevOps Pipelines: Many organizations use different environments (development, testing, production) in their DevOps pipelines. Each environment may have unique credentials or configuration settings. Ansible Vault helps in securely managing these environment-specific variables, allowing seamless and secure transitions between stages.
- Compliance and Regulatory Requirements: Industries such as finance, healthcare, and government often have strict regulations regarding data security. Ansible Vault helps organizations comply with these regulations by providing a secure way to handle sensitive data, like personal identification information (PII), within their automation scripts.
- Multi-Tenant Systems: In scenarios where an IT infrastructure serves multiple tenants (like in cloud services or shared hosting environments), Ansible Vault can be used to manage and isolate sensitive data for each tenant securely. This isolation ensures that one tenant’s data is not accidentally exposed to another.
- Disaster Recovery: Ansible playbooks often play a role in disaster recovery processes. Ansible Vault ensures that sensitive data used in these playbooks, like access codes or recovery keys, is kept secure, which is crucial in scenarios where infrastructure needs to be rebuilt or restored securely and efficiently.
- Dynamic Inventory Management: For organizations managing a large and dynamic inventory of servers and applications, Ansible Vault allows for secure storage and management of the credentials needed for accessing and managing these resources.
- Secure Application Configuration: Applications often require configuration files that contain sensitive information. Ansible Vault can encrypt these files or the specific sensitive parts of these files, ensuring that the application’s configuration remains secure throughout its lifecycle.
- Collaboration in Distributed Teams: In distributed teams, playbooks and scripts might be shared among various team members and possibly across different geographical locations. Ansible Vault ensures that sensitive data within these shared resources remains encrypted, reducing the risk of accidental exposure.
- Automated Cloud Infrastructure Provisioning: When using Ansible for provisioning cloud infrastructure, sensitive details such as cloud provider API keys or server passwords can be encrypted using Ansible Vault, ensuring that automated processes do not compromise security.
- Securing Backup Scripts: Backup scripts often contain sensitive information, like database credentials or server access information. Ansible Vault helps in securing these scripts, ensuring that backup processes are not only automated but also secure.
Each of these use cases demonstrates how Ansible Vault plays a crucial role in various aspects of IT operations, especially in scenarios where security and compliance are paramount. By leveraging Ansible Vault, organizations can ensure that their automation practices are not only efficient but also adhere to the highest standards of data security and integrity.
Comparing Ansible Vault with Other Tools
While Ansible Vault is a powerful tool, it’s worth comparing with other tools like HashiCorp Vault, which offer different features and levels of complexity.
Future of Ansible Vault
The future of Ansible Vault is likely to include more integration with cloud services, enhanced usability, and stronger encryption standards, reflecting the evolving landscape of IT security.
Conclusion
Ansible Vault is a critical component of the Ansible automation tool, providing the necessary security for managing sensitive data. Its simplicity, combined with powerful features, makes it an essential tool for anyone using Ansible in their IT environment.
Kundan
Hi Roger,
Thanks for posting important video.
I have a confusion: if I want to use a password as a variable and keep it in encrypted form and declare it in a task, can I do that? Need your guidance for that and if yo
Roger Perkin
I don’t exactly understand your question.
Are you saying you want to use a password directly in your playbook?
The idea with Vault is all your passwords are kept in group_vars or host_vars and then you encrypt the entire file.
If you want to put the password in your playbook there is no way to hide / encrypt that?
Let me know?
Poger Rerkin
Too bad that you did not show how to link the playbook with the vault. Why is this crucial step missing in every vault tutorial? How is ansible-playbook supposed to know that it should look for /random_var/ in /random_vault_file/?
Roger Perkin
You don’t have to link the playbook with the vault. Your playbook will always try and find the variables in group_vars and host_vars; it’s just that if you have encrypted these files, when the playbook tries to access the file it will fail as the contents are encrypted. You just need to give the playbook the options to access the file, and I list all 3 in the post. Please explain more what you mean by link the playbook with vault? You are not changing Ansible default behaviour; you are just hiding credentials from anyone who could get access to your server or code.